NTP Monitor List Query UDP/123[1]

The NTP protocol daemon, in versions prior to 4.2.7, supported a feature which reported a list of up to 600 clients which had used the queried NTP server as their time reference.

If an attacker uses a spoofed source address then a victim can be flooded with considerable NTP traffic. The size of the response is typically considerably larger than the request and consequently the attacker is able to amplify the volume of traffic directed at the victim. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks. The solution is to disable “monlist” within the NTP server or to upgrade to the latest version of NTP (4.2.7) which disables the “monlist” functionality.

To prevent your NTP daemon being used in DDoS attacks it is necessary to disable “monlist” functionality. On a public-facing NTP server that cannot be updated to version 4.2.7 or later, add the “noquery” directive to the “restrict default” line in the system’s ntpd.conf, as shown below:
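The directive in context, as an added example that is not part of the original page: the Python function below checks ntpd configuration text for “restrict default” lines that lack “noquery”. The sample configurations are constructed. Treating `ignore` as equivalent to `noquery`, and a missing default rule as a finding, are assumptions of this example.

```python
# Added example: audit ntpd configuration text for "restrict default" rules
# that still answer status queries. Not code from the IPscan project.
BLOCKING_FLAGS = {"noquery", "ignore"}  # "ignore" drops all packets, queries included

def restrict_default_lines(conf_text):
    """Yield (line_no, flags) for each 'restrict [-4|-6] default ...' line."""
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()    # drop comments, then tokenize
        if not tokens or tokens[0].lower() != "restrict":
            continue
        args = tokens[1:]
        if args and args[0] in ("-4", "-6"):     # optional address-family selector
            args = args[1:]
        if args and args[0].lower() == "default":
            yield line_no, {a.lower() for a in args[1:]}

def audit(conf_text):
    """Return findings; an empty list means every default rule blocks queries."""
    findings, seen = [], False
    for line_no, flags in restrict_default_lines(conf_text):
        seen = True
        if not flags & BLOCKING_FLAGS:
            findings.append(f"line {line_no}: restrict default without noquery")
    if not seen:
        # Assumption of this example: no default rule means queries are unrestricted.
        findings.append("no 'restrict default' line found")
    return findings

# Constructed sample: the IPv4 default rule is missing noquery.
WEAK = """\
# constructed sample configuration
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server 0.pool.example.org iburst
"""

# Constructed sample: noquery present on both default rules.
HARDENED = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "ok")
```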

SNMP Queries UDP/161

IPscan performs three SNMP queries. SNMP supports a variety of versions and authentication methods, and since IPscan cannot know the credentials to use to test your system, it defaults to commonly used, and therefore insecure, community strings.

| Port/Special Case | SNMP version | Test performed, credentials used |
|---|---|---|
| UDP/161 | v1 | GET with 'public' community string |
| UDP/161[1] | v2c | GET with 'private' community string |
| UDP/161[2] | v3 | EngineID Discovery, credentials not required |
